After reading a thread on a gamedev subreddit, there came the topic of open source games. The person claimed that they are less secure than their counterparts with the source code that is closed. He said it was easier for people to see the inner workings of the server and exploit, compared to the black box approach of not knowing how the server works. This does not seem correct to me however. Open Arena seems to be ok and is open source. Also if a lot of logic is done on the server side, wouldn't it be just as hard to cheat?
Are open source multiplayer games less secure? What have I not considered?
Thank you, I am very curious about this topic.
Why is it that some say that open source multiplayer games are less secure?
Are open source multiplayer games less secure? What have I not considered?
The problem of open source is, that cheaters are able to see and use all the source, even the server source code if available. They can easily try to use the source code to recompile a modified client version (enemy radar, see through walls, aiming bots etc) while faking necessary checksums, which is really hard to do with closed-source games. Further on, as side effect, open source is often low on budget and therefor they avoid commercial anti-cheat tool (eg punkbuster?).
The chances of cheats depends on the popularity and how easy it is to cheat. Therefor unpopular, closed source games might be most secure, while really popular games, regardless of being open or close source, are prone to cheating. Thought, open source games, which gains in popularity, will much likely be targeted by cheaters really quickly.
Speaking from personal experience as both a game dev and "1337 h4x0r" (doh!) I can say that my last little project - an aimbot for the open-source multiplayer game engine Assault Cube (http://assault.cubers.net/) - was far easier to accomplish having been able to surf the C code itself.
It doesn't necessarily make the impossible possible, it just makes the possible more readable and apparent.
It is absolutely true that open source lowers the bar for certain kinds of cheats!
Open source also lowers the bar for security minded developers to help prevent cheating. Your job is to get as many secure-minded contributors as you get cheating players!
Separately, even if a game is not open source, a determined cheater will be able to cheat. De-compilation and assembly isn't THAT hard to work with.for a skilled programmer.
The draw-back is that it's much harder for a security-minded developer to help prevent cheating in the closed-source world. The relative incentives are less in favor of the developer.
The choice is not at all cut-and-dried. There's pluses and minuses on both sides. And cheating is only one small part of the giant challenge that is developing an online game -- if open source, or closed source, gives you a significant leg up in some other department (schedule, tools, robustness, cost, etc) then that's quite likely to be the deciding factor, rather than the different profiles of cheating/cheaters/mitigation/help.
Its true, but if closed-source software implements no other measures then the kind of "securtiy" it has is derisively called "security through obscurity" in secutrity/hacker circles -- that is to say, it has no security other than being obscured from plain view. It doesn't provide any protection from would-be cheaters as such, it just relies on hope that people will be detered by it not being readily accessible. History shows, however, that even moderately-popular software, closed-source or not, becomes a worthwhile target for crackers and cheaters eventually.
Its a bit like burying your money in the back-yard; instead of the real security of a bank-vault, you rely instead on the obscurity of its location in your yard. But if its known that the money is indeed in your yard, and its known that the score will be worthwhile, then you'll soon start to attract nefarious types.
Unfortunately, most open-source games implement little in the way of *actual* security either -- so in effect, many of these games are hiring sky-writers to publish the exact location and dollar amount of their hidden treasures for all to see and in the common tongue.
Its certainly easy to "crack" an open-source game or server, but its really a bit of a misnomer that that closed games are more secure simply because they are closed.
throw table_exception("(? ???)? ? ???");
Open source makes finding exploits a lot easier. If you play it fast and loose, it'll be a lot quicker for hackers to find exploits within the code or even your design assumptions. If your game isn't particularly secure but the code cannot be reversed engineered easily, it can take more time. Ultimately, if your game is popular, you will be found out either way.
Everything is better with Metal.
By being open source, hackers have more access to your code. By being open source, people concerned about security have more access to your code. Gotta grit your teeth and hope that the latter are contributing more than the hackers are able to hack with source knowledge.
I think making it easier to find exploits is actually a good thing. If everything is closed source and someone malicious exploits it for their benefit then that's all they're able to do. Open source at least allows them to contact you and explain exactly what the problem is. I think It's much better to get hackers on your side rather than banning them as they're probably going to be more willing to help you fix problems rather than using them to ruin the experience of others.
That's the attitude I'm going to have at least if people start hacking my game, I'll embrace it.
What these people miss is they are comparing apples to oranges. You cannot compare a commercial closed source game that was built to make money, to an open source game that is someone's hobby.
The fact is that all kinds of businesses that handle sensitive data use open source end to end. If closed source was inherently more secure, then you should be seeing linux and other open source applications that are popular on the internet getting hacked much more often then windows and it's closed source versions. But that simply has not happened.
I'm not surprised that this attitude prevails in the game industry. One of my biggest complaints about the game industry is how little it contributes to or understands open source. Here are a couple of things that actually happened to me while working at a large game studio.
- Senior engineer in another division telling me they don't do unit testing, because they have integration tests.
- Same guy didn't understand why git would be better then a wiki page for code sharing.
- On multiple occasions we came up with bug fixes for everything from the linux kernel to nginx. Never contributed any of that back.
- I was not allowed to work on any game related open source projects while working at the company.
And of course this same company used open source everywhere. They would never have gotten to where they were without it.
While I'm sure the correlation coefficient is greater than zero, I'm also sure that it's not one.
Regarding taking open source without giving back, I also know of companies that do that, but most of them are not as bad as Goldman Sachs, which reportedly rips out all copyright/license from libraries they take, and change it to Goldman Sachs proprietary, and then throw programmers in prison if they actually abide by the original license.
Anyway, yes, you find varying degrees of maturity in all walks of life, and there exists large game studios that are very mature, and others that aren't. You also find hobbyists that are very mature, and others that aren't. In the end, maturity is much more important to the quality of code produced than most other axes. And when it comes to security, code quality is a lot more important than most other factors. You can make a fun, commercially successful game on top of terribly misguided rendering code. You can't make a secure system on top of misguided security code.